IPv6 intro creates spam-filtering nightmare
Blacklist extinction looms
The migration towards IPv6, which has been made necessary by the expansion of the internet, will make it harder to filter spam messages, service providers warn.
The current internet protocol, IPv4, has a limited address space which is reaching exhaustion* thanks to the fast uptake of internet technology in populous countries such as India and China and the more widespread use of smartphones. IPv6 promises 3.4 x 10^38 addresses compared to the paltry 4.3 billion (4.3 x 10^9) addresses offered by IPv4.
While this expansion allows far more devices to have a unique internet address, it creates a host of problems for security service providers, who have long used databases of known bad IP addresses to maintain blacklists of junk mail cesspools. Spam-filtering technology typically uses these blacklists as one (key) component in a multi-stage junk mail filtering process that also involves examining message contents.
"The primary method for stopping the majority of spam used by email providers is to track bad IP addresses sending email and block them – a process known as IP blacklisting," explained Stuart Paton, a senior solutions architect at spam-filtering outfit Cloudmark. "With IPv6 this technique will no longer be possible and could mean that email systems would quickly become overloaded if new approaches are not developed to address this."
Other security technologies also track IP addresses for various purposes, including filtering out sources of denial of service attacks, click fraud and search engine manipulation. Tracking a vastly expanded IP address space will make life much harder for network defenders, Paton warns.
"As an example, the address space is so large that it would be easy for spammers to use a single IP address just once to send a single email," he said.
The information security industry and ISPs need to collaborate on working out how to resolve the problem in order to make sure inboxes are not flooded with more junk mail thanks to the introduction of the new internet-address protocol. In the meantime, Cloudmark suggests interim restrictions might need to be applied to preserve existing systems.
"Cloudmark advocates that ISPs do not initially need to be able to receive mail from IPv6 addresses (on inbound) except from their own customers (known as outbound)," Paton explained. "This would ensure business continuity for ISPs and provisioning of ADSL/Cable modems to continue. This measure will also protect the IPv4 reputation system that is currently in use and working well."
Paul Wood, an anti-spam expert at Symantec.cloud (formerly MessageLabs), confirmed that other security firms are also considering whether to apply tougher controls on mail from IPv6 networks. "It [IPv6] is definitely a real area of concern in the anti-spam community, and opinion varies on whether businesses should accept mail on IPv6 or not for this reason," Wood told El Reg. "I'm of the opinion that at least for the moment they shouldn't, unless the connections are from a trusted source."
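The problem Paton describes and the interim restriction he and Wood suggest can be compared side by side. The sketch below is an added example, not part of the original article or any vendor's code: the function names are hypothetical, the customer prefix is an assumption, and all addresses are constructed from documentation ranges.

```python
import ipaddress

# Constructed sample data (documentation ranges, not real senders).
BLACKLIST = {ipaddress.ip_address("192.0.2.10")}           # known-bad IPv4 sender
TRUSTED_V6 = [ipaddress.ip_network("2001:db8:100::/48")]   # assumed customer range
ROTATING_V6 = ipaddress.ip_network("2001:db8:bad::/64")    # sender using each address once


def blacklist_only(ip, seen_bad):
    """Per-address reputation: reject only addresses already seen sending spam."""
    ip = ipaddress.ip_address(ip)
    return "reject" if ip in seen_bad else "accept"


def interim_policy(ip, seen_bad):
    """IPv4: per-address blacklist. IPv6: accept only from trusted prefixes."""
    ip = ipaddress.ip_address(ip)
    if ip.version == 6:
        return "accept" if any(ip in net for net in TRUSTED_V6) else "reject"
    return blacklist_only(ip, seen_bad)


def simulate(policy, messages=1000):
    """Deliver one message per fresh IPv6 address and list each address
    after it has been seen. Returns how many messages the policy accepted."""
    seen_bad = set(BLACKLIST)
    accepted = 0
    for offset in range(1, messages + 1):
        ip = ROTATING_V6[offset]       # a new address for every message
        if policy(ip, seen_bad) == "accept":
            accepted += 1
        seen_bad.add(ip)               # listed too late: it is never reused
    return accepted


if __name__ == "__main__":
    print("blacklist only :", simulate(blacklist_only), "of 1000 accepted")
    print("interim policy :", simulate(interim_policy), "of 1000 accepted")
```

With an address used only once per message, the per-address list grows by one entry per message yet never matches a later connection, while the prefix allowlist decides without needing any prior sighting.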
Email is a two-way communication protocol (unlike web browsing), so legitimate IPv6 mail servers, outside of academia and testing environments, will need to support IPv4 for some years. "Relatively speaking, there are very few real mail servers in the world, so the starvation of IPv4 will not affect them much because there will for a very long time be a resale market in the IPv4 address space," Wood added.
Wood told El Reg that although the move to IPv6 is a bit of a headache for spam-filtering, it might also make life harder for hackers hoping to take advantage of open relays to distribute spam or mount other types of security attacks.
"While the arrival of IPv6 is likely to eliminate the usefulness of traditional IP-based blacklists, it is also likely to reduce the issues that arise from port-scanning of open relays and other vulnerabilities," Wood explained. "The IPv6 address space is so large it wouldn't be scalable from the bad guys' perspective – the returns will diminish over time." ®
* Although the last big blocks of IPv4 address space were allocated last month, there is plenty of assigned but unused space, estimated to be as high as 50 per cent by some experts. That means the resale market for IPv4 addresses is likely to last several years, at minimum.